The identity theft red flags rule (the Identity Theft Red Flags Rule) under Federal Reserve Board (FRB) Regulation V requires financial institutions, including banks, finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, and any “creditor” holding any consumer account or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an identity theft prevention program in connection with new and existing accounts. In February 2013, the FRB proposed to amend its Identity Theft Red Flags Rule (the Proposed Rule) to narrow the scope of the definition of “creditor” to exclude persons who sell a product or service for which the consumer can pay later, such as persons who do not regularly and in the ordinary course of business: obtain or use consumer reports in connection with a credit transaction; furnish information to consumer reporting agencies in connection with a credit transaction; or advance funds to or on behalf of a person. On May 22, 2014, the FRB issued the final amendments to its Identity Theft Red Flag Rule (the Final Rule). The FRB’s Final Rule is substantially similar to the Proposed Rule with only a minor revision to reflect statutory change in the FRB’s rulemaking authority. The new Identity Theft Red Flag Rule definition of creditor under FRB Regulation V still includes banks and other financial institutions, regardless of whether they meet the revised definition. However, doctors, lawyers and other professionals that allow consumers to delay payment are no longer required to maintain an identity theft prevention program in connection with new and existing accounts. The FRB amended its Identity Theft Red Flags Rule definition of creditor to be consistent with definition adopted in December 2010 by the Federal Trade Commission and other federal agencies under the Red Flag Clarification Act.